Linux Server Hardening Complete Guide
运维安全
Why Linux Server Hardening Matters
In the cloud-native era, Linux servers are the backbone of internet infrastructure. An unhardened server is like an open door — vulnerable to brute-force attacks, privilege escalation, data exfiltration, or being turned into a botnet node.
| Threat Type | Unhardened Risk | After Hardening |
|---|---|---|
| Brute Force | SSH password cracking highly successful | Key auth + fail2ban makes cracking nearly impossible |
| Privilege Escalation | Regular users can escalate to root | Least privilege + sudo auditing |
| Data Breach | Sensitive files readable by anyone | Access control + encryption + immutable attributes |
| Lateral Movement | No network isolation, one compromised = all compromised | Firewall whitelist + network segmentation |
| Supply Chain Attack | Any package can be installed | Auto security updates + integrity verification |
Security hardening is not a one-time task — it's a continuous operational security baseline. This guide covers the complete hardening workflow from initial assessment to ongoing monitoring.
Security Baseline Assessment
Automated Scanning Tools
Before hardening, you must understand the server's current security posture. Use these tools for baseline assessment:
# Install Lynis — open-source security auditing tool
sudo apt install lynis
# Run a full security audit
sudo lynis audit system
# View the audit report
sudo lynis audit system --report-file /var/log/lynis-report.txt
# Audit specific modules only
sudo lynis audit system --tests-from-group "authentication"
sudo lynis audit system --tests-from-group "firewall"
Manual Baseline Checklist
# Check open ports
ss -tlnp
netstat -tlnp
# Check running services
systemctl list-units --type=service --state=running
# Check security updates for installed packages
apt list --upgradable 2>/dev/null | grep -i security
# Check SUID/SGID files
find / -perm -4000 -type f 2>/dev/null
find / -perm -2000 -type f 2>/dev/null
# Check world-writable files
find / -perm -o+w -type f 2>/dev/null | grep -v '/proc\|/sys\|/dev'
# Check accounts with empty passwords
awk -F: '$2 == "" {print $1}' /etc/shadow
# Check if root can login remotely
grep "^PermitRootLogin" /etc/ssh/sshd_config
Compliance Checking with OpenSCAP
# Install OpenSCAP
sudo apt install openscap-scanner scap-security-guide
# Evaluate using DISA STIG profile
sudo oscap xccdf eval \
--profile xccdf_org.ssgproject.content_profile_stig \
/usr/share/xml/scap/ssg/content/ssg-ubuntu2204-ds.xml \
--report /var/log/oscap-report.html
SSH Hardening
SSH is the primary channel for remote Linux server management and the attacker's first target. SSH hardening is the first line of defense.
Disable Password Authentication, Key-Only Login
# Generate ED25519 key pair (recommended, more secure and shorter than RSA)
ssh-keygen -t ed25519 -C "admin@server-01" -f ~/.ssh/id_ed25519
# Or generate RSA 4096-bit key (better compatibility)
ssh-keygen -t rsa -b 4096 -C "admin@server-01" -f ~/.ssh/id_rsa_4096
# Deploy public key to server
ssh-copy-id -i ~/.ssh/id_ed25519.pub user@server-ip
# Modify sshd configuration
sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
# /etc/ssh/sshd_config — SSH security hardening
# Disable password authentication
PasswordAuthentication no
ChallengeResponseAuthentication no
KbdInteractiveAuthentication no
# Disable root login
PermitRootLogin no
# Allow key authentication only
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
# Change default port (avoid automated scans)
Port 2222
# Limit authentication attempts
MaxAuthTries 3
# Shorten login timeout
LoginGraceTime 30
# Disable empty passwords
PermitEmptyPasswords no
# Restrict allowed users
AllowUsers deploy admin@10.0.1.0/24
# Disable unnecessary auth methods
HostbasedAuthentication no
GSSAPIAuthentication no
KerberosAuthentication no
# Use strong encryption algorithms
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
# Disable X11 forwarding and port forwarding (if not needed)
X11Forwarding no
AllowTcpForwarding no
AllowAgentForwarding no
# Client keepalive detection
ClientAliveInterval 300
ClientAliveCountMax 2
# Validate config syntax then restart
sudo sshd -t && sudo systemctl restart sshd
Configure fail2ban Against Brute Force
sudo apt install fail2ban -y
# /etc/fail2ban/jail.local
[DEFAULT]
bantime = 3600
findtime = 600
maxretry = 3
banaction = iptables-multiport
action = %(action_mwl)s
[sshd]
enabled = true
port = 2222
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 7200
[sshd-ddos]
enabled = true
port = 2222
filter = sshd-ddos
logpath = /var/log/auth.log
maxretry = 5
bantime = 86400
sudo systemctl enable --now fail2ban
# View banned IPs
sudo fail2ban-client status sshd
# Manually unban an IP
sudo fail2ban-client set sshd unbanip 192.168.1.100
Firewall Configuration
Using UFW (Uncomplicated Firewall for Ubuntu)
sudo apt install ufw -y
# Default deny all incoming, allow all outgoing
sudo ufw default deny incoming
sudo ufw default allow outgoing
# Allow SSH (match the port in sshd config)
sudo ufw allow 2222/tcp comment 'SSH'
# Allow HTTP/HTTPS
sudo ufw allow 80/tcp comment 'HTTP'
sudo ufw allow 443/tcp comment 'HTTPS'
# Allow specific IP to specific port
sudo ufw allow from 10.0.1.0/24 to any port 5432 proto tcp comment 'PostgreSQL from internal'
# Enable firewall
sudo ufw enable
# View status and rules
sudo ufw status verbose
sudo ufw show added
# Delete a rule
sudo ufw delete allow 80/tcp
Using nftables (Recommended Replacement for iptables)
sudo apt install nftables -y
# /etc/nftables.conf
table inet firewall {
chain input {
type filter hook input priority 0; policy drop;
ct state established,related accept
ct state invalid drop
iif lo accept
ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request, echo-reply } accept
ip protocol icmp icmp type { destination-unreachable, time-exceeded, parameter-problem, echo-request, echo-reply } accept
tcp dport 2222 accept comment "SSH"
tcp dport { 80, 443 } accept comment "HTTP/HTTPS"
tcp dport 5432 ip saddr 10.0.1.0/24 accept comment "PostgreSQL internal"
}
chain forward {
type filter hook forward priority 0; policy drop;
}
chain output {
type filter hook output priority 0; policy accept;
}
}
sudo systemctl enable --now nftables
sudo nft list ruleset
iptables Rules Example
# Flush existing rules
sudo iptables -F
sudo iptables -X
# Default policies
sudo iptables -P INPUT DROP
sudo iptables -P FORWARD DROP
sudo iptables -P OUTPUT ACCEPT
# Allow loopback interface
sudo iptables -A INPUT -i lo -j ACCEPT
# Allow established connections
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Allow SSH
sudo iptables -A INPUT -p tcp --dport 2222 -j ACCEPT
# Allow HTTP/HTTPS
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# Save rules
sudo apt install iptables-persistent -y
sudo netfilter-persistent save
User and Privilege Management
Use sudo Instead of Direct root Access
# Install sudo
sudo apt install sudo -y
# Create new user and add to sudo group
sudo adduser deploy
sudo usermod -aG sudo deploy
# Configure passwordless sudo (specific commands only)
sudo visudo -f /etc/sudoers.d/deploy
# /etc/sudoers.d/deploy — Least privilege sudo configuration
# Allow deploy user to restart specific services
deploy ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart nginx
deploy ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart postgresql
# Allow viewing logs
deploy ALL=(ALL) NOPASSWD: /usr/bin/journalctl
# Prevent using sudo su or sudo bash for escalation
deploy ALL=(ALL) !/bin/su, !/bin/bash, !/bin/sh
User Groups and Permission Separation
# Create functional groups
sudo groupadd webadmin
sudo groupadd dbadmin
sudo groupadd logreader
# Add users to corresponding groups
sudo usermod -aG webadmin deploy
sudo usermod -aG dbadmin dbuser
# Set group ownership
sudo chgrp -R webadmin /var/www
sudo chmod -R 2775 /var/www
# Set database directory permissions
sudo chgrp -R dbadmin /var/lib/postgresql
sudo chmod -R 750 /var/lib/postgresql
PAM Authentication Module Hardening
# /etc/pam.d/common-password — Password complexity requirements
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
minlen=12 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 enforce_for_root
password requisite pam_pwhistory.so remember=5 enforce_for_root
# /etc/pam.d/common-auth — Login failure lockout
auth required pam_faillock.so preauth silent deny=5 unlock_time=900
auth [default=die] pam_faillock.so authfail deny=5 unlock_time=900
auth sufficient pam_faillock.so authsucc deny=5 unlock_time=900
# Set password expiration policy
sudo chage -M 90 -m 7 -W 14 deploy
# View user password policy
sudo chage -l deploy
File System Security
Critical Permission Settings
# /etc/shadow and /etc/gshadow must be root-readable only
sudo chmod 600 /etc/shadow /etc/gshadow
# /etc/passwd and /etc/group must be world-readable but root-writable only
sudo chmod 644 /etc/passwd /etc/group
# SSH directory permissions
sudo chmod 700 ~/.ssh
sudo chmod 600 ~/.ssh/authorized_keys
sudo chmod 600 ~/.ssh/id_*
sudo chmod 644 ~/.ssh/id_*.pub
# Restrict crontab access
sudo touch /etc/cron.allow
sudo chmod 600 /etc/cron.allow
echo "root" | sudo tee -a /etc/cron.allow
echo "deploy" | sudo tee -a /etc/cron.allow
Using Immutable Attributes to Protect Critical Files
# Set immutable attribute (prevents any modification, even by root)
sudo chattr +i /etc/passwd
sudo chattr +i /etc/shadow
sudo chattr +i /etc/group
sudo chattr +i /etc/gshadow
sudo chattr +i /etc/sudoers
sudo chattr +i /etc/ssh/sshd_config
# View attributes
lsattr /etc/passwd
# Remove immutable before making changes
sudo chattr -i /etc/passwd
# Re-set after modification
sudo chattr +i /etc/passwd
Disk Encryption
# Encrypt data partition with LUKS
sudo apt install cryptsetup -y
# Encrypt partition (WARNING: erases all partition data!)
sudo cryptsetup luksFormat /dev/sdb1
# Open encrypted partition
sudo cryptsetup luksOpen /dev/sdb1 encrypted_data
# Create filesystem
sudo mkfs.ext4 /dev/mapper/encrypted_data
# Mount
sudo mount /dev/mapper/encrypted_data /mnt/secure-data
# Auto-mount at boot (/etc/crypttab)
echo "encrypted_data /dev/sdb1 none luks" | sudo tee -a /etc/crypttab
Kernel Parameter Tuning (sysctl)
Network Security Parameters
# /etc/sysctl.d/99-security.conf
# Disable IP forwarding (non-router)
net.ipv4.ip_forward = 0
net.ipv6.conf.all.forwarding = 0
# Disable source routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
# Enable reverse path filtering
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Disable ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
# Ignore ICMP broadcast requests
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Ignore bogus ICMP error responses
net.ipv4.icmp_ignore_bogus_error_responses = 1
# SYN Flood protection
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2
# Limit connection queue
net.ipv4.tcp_max_tw_buckets = 14400
File System and Memory Protection
# /etc/sysctl.d/99-security.conf (continued)
# Restrict ptrace (prevent debugging escalation)
kernel.yama.ptrace_scope = 2
# Enable ASLR (Address Space Layout Randomization)
kernel.randomize_va_space = 2
# Limit core dumps
fs.suid_dumpable = 0
# Restrict dmesg output to root only
kernel.dmesg_restrict = 1
# Restrict kexec loading
kernel.kexec_load_restrict = 1
# Protect hardlinks and symlinks
fs.protected_hardlinks = 1
fs.protected_symlinks = 1
fs.protected_fifos = 2
fs.protected_regular = 2
# Apply configuration
sudo sysctl --system
# Verify key parameters
sysctl net.ipv4.tcp_syncookies
sysctl kernel.randomize_va_space
System Auditing (auditd)
Installation and Configuration
sudo apt install auditd audispd-plugins -y
# /etc/audit/auditd.conf
log_file = /var/log/audit/audit.log
log_format = ENRICHED
max_log_file = 50
num_logs = 5
max_log_file_action = ROTATE
space_left = 100
space_left_action = EMAIL
admin_space_left = 50
admin_space_left_action = SUSPEND
action_mail_acct = root
Audit Rules
# /etc/audit/rules.d/audit.rules
# Delete all existing rules
-D
# Buffer size
-b 8192
# Failure mode
-f 1
# Monitor privileged commands
-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k priv_escalation
-a always,exit -F arch=b64 -S chown,chmod -F auid>=1000 -F auid!=4294967295 -k perm_change
# Monitor critical file modifications
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/group -p wa -k identity
-w /etc/sudoers -p wa -k sudoers
-w /etc/sudoers.d/ -p wa -k sudoers
-w /etc/ssh/sshd_config -p wa -k sshd_config
# Monitor system calls
-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=4294967295 -k file_delete
# Monitor network connections
-a always,exit -F arch=b64 -S connect -F auid>=1000 -F auid!=4294967295 -k network_connect
# Restart audit service
sudo systemctl restart auditd
# View audit logs
sudo ausearch -k sshd_config -ts today
sudo ausearch -k priv_escalation -ts recent
# Generate audit reports
sudo aureport -x
sudo aureport -k
Log Management and Monitoring
journalctl Persistent Configuration
# Create persistent journal directory
sudo mkdir -p /var/log/journal
sudo systemd-tmpfiles --create --prefix /var/log/journal
sudo systemctl restart systemd-journald
# /etc/systemd/journald.conf
[Journal]
Storage=persistent
Compress=yes
SystemMaxUse=2G
SystemMaxFileSize=100M
MaxRetentionSec=30day
RateLimitIntervalSec=30s
RateLimitBurst=1000
# View logs
sudo journalctl -u sshd --since "1 hour ago"
sudo journalctl -p err --since today
sudo journalctl -f # Live tail
Centralized Logging with rsyslog
# /etc/rsyslog.d/50-remote.conf — Forward logs to remote server
*.* @@log-server.example.com:514;RSYSLOG_TraditionalFileFormat
# /etc/rsyslog.d/99-security.conf — Separate storage for security logs
auth,authpriv.* /var/log/auth.log
kern.* /var/log/kern.log
mail.* -/var/log/mail.log
*.emerg :omusrmsg:*
Log Summaries with Logwatch
sudo apt install logwatch -y
# Generate today's log summary
sudo logwatch --output stdout --range today --detail high
# Daily automatic email report
sudo logwatch --output mail --mailto admin@example.com --range yesterday --detail med
Automatic Security Updates
sudo apt install unattended-upgrades apt-listchanges -y
# /etc/apt/apt.conf.d/50unattended-upgrades
Unattended-Upgrade::Allowed-Origins {
"${distro_id}:${distro_codename}-security";
"${distro_id}ESMApps:${distro_codename}-apps-security";
"${distro_id}ESMInfrastructure:${distro_codename}-infra-security";
};
Unattended-Upgrade::Package-Blacklist {
};
Unattended-Upgrade::AutoFixInterruptedDpkg "true";
Unattended-Upgrade::Remove-Unused-Dependencies "true";
Unattended-Upgrade::Automatic-Reboot "false";
Unattended-Upgrade::Mail "admin@example.com";
Unattended-Upgrade::MailOnlyOnError "true";
# /etc/apt/apt.conf.d/20auto-upgrades
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
# Verify automatic update status
sudo unattended-upgrade --dry-run --verbose
Container Security Basics
Docker Security Hardening
# /etc/docker/daemon.json
{
"icc": false,
"log-driver": "json-file",
"log-opts": {
"max-size": "10m",
"max-file": "3"
},
"storage-driver": "overlay2",
"userns-remap": "default",
"no-new-privileges": true,
"seccomp-profile": "/etc/docker/seccomp.json",
"bip": "172.17.0.1/16",
"default-ulimits": {
"nofile": {
"Name": "nofile",
"Hard": 65536,
"Soft": 1024
}
}
}
# Container runtime security best practices
docker run -d \
--name webapp \
--read-only \
--tmpfs /tmp:noexec,nosuid,size=100m \
--tmpfs /run:noexec,nosuid,size=10m \
--pids-limit 100 \
--memory 512m \
--cpus 1.0 \
--security-opt no-new-privileges \
--security-opt apparmor=docker-default \
--cap-drop ALL \
--cap-add NET_BIND_SERVICE \
--user 1000:1000 \
myapp:latest
Podman Daemonless Containers
# Podman runs rootless by default — more secure
podman run -d \
--read-only \
--pids-limit 100 \
--memory 512m \
--cap-drop ALL \
--security-opt no-new-privileges \
myapp:latest
Intrusion Detection
AIDE File Integrity Detection
sudo apt install aide -y
# Initialize database
sudo aideinit
# Move initial database to production database
sudo cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db
# Run integrity check
sudo aide --check
# Update database (after legitimate changes)
sudo aide --update
sudo cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db
# /etc/aide/aide.conf — Custom detection rules
# Strict checking for critical directories
/etc p+i+n+u+g+s+b+m+c+sha512
/root p+i+n+u+g+s+b+m+c+sha512
# Ignore frequently changing directories
!/var/log
!/var/run
!/proc
!/sys
!/dev
!/tmp
Rootkit Detection
# Install rkhunter and chkrootkit
sudo apt install rkhunter chkrootkit -y
# /etc/rkhunter.conf
UPDATE_MIRRORS=1
MIRRORS_MODE=0
WEB_CMD=curl
ALLOW_SSH_ROOT_USER=no
ALLOW_SSH_PROT_V1=no
DISABLE_TESTS=apps
# Update rkhunter database
sudo rkhunter --update
# Run system check
sudo rkhunter --check --skip-keypress
# chkrootkit detection
sudo chkrootkit
# Set up daily automatic check
echo "0 3 * * * root /usr/bin/rkhunter --check --skip-keypress --report-warnings-only" | \
sudo tee /etc/cron.d/rkhunter
SSL/TLS Hardening
Nginx SSL Configuration
# /etc/nginx/snippets/ssl-hardening.conf
ssl_protocol TLSv1.2 TLSv1.3;
ssl_cipher TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
ssl_prefer_server_ciphers on;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
resolver 1.1.1.1 8.8.8.8 valid=300s;
resolver_timeout 5s;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
add_header X-Frame-Options DENY always;
add_header X-Content-Type-Options nosniff always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy strict-origin-when-cross-origin always;
Generate Strong DH Parameters
openssl dhparam -out /etc/nginx/dhparam.pem 2048
Common Attack Vectors and Defense
Defending Against DDoS Attacks
# Mitigate SYN Flood with sysctl
sudo sysctl -w net.ipv4.tcp_syncookies=1
sudo sysctl -w net.ipv4.tcp_max_syn_backlog=65535
sudo sysctl -w net.core.somaxconn=65535
# Limit connection rate with iptables
sudo iptables -A INPUT -p tcp --syn -m limit --limit 1/s --limit-burst 3 -j ACCEPT
sudo iptables -A INPUT -p tcp --syn -j DROP
Defending Against Buffer Overflow
# Enable ASLR
sudo sysctl -w kernel.randomize_va_space=2
# Enable NX bit (No-eXecute, enabled by default on modern CPUs)
# Compile with -fstack-protector-strong
# Disable core dumps
echo "* hard core 0" | sudo tee -a /etc/security/limits.conf
Defending Against DNS Hijacking
# /etc/systemd/resolved.conf
[Resolve]
DNS=1.1.1.1 8.8.8.8
FallbackDNS=9.9.9.9
DNSOverTLS=opportunistic
DNSSEC=allow-downgrade
Cache=yes
CacheFromNetwork=no
Security Hardening Checklist
| Category | Check Item | Status |
|---|---|---|
| SSH | Disable password authentication | ☐ |
| SSH | Disable root login | ☐ |
| SSH | Change default port | ☐ |
| SSH | Configure fail2ban | ☐ |
| SSH | Use strong encryption algorithms | ☐ |
| Firewall | Default deny incoming | ☐ |
| Firewall | Only open necessary ports | ☐ |
| Firewall | Outbound rule restrictions | ☐ |
| Users | Remove unnecessary accounts | ☐ |
| Users | Configure least privilege sudo | ☐ |
| Users | Password complexity policy | ☐ |
| Users | Account lockout policy | ☐ |
| File System | Correct critical file permissions | ☐ |
| File System | Set immutable attributes | ☐ |
| File System | Encrypt sensitive partitions | ☐ |
| Kernel | Disable IP forwarding | ☐ |
| Kernel | Enable SYN Cookies | ☐ |
| Kernel | Enable ASLR | ☐ |
| Auditing | auditd rules configured | ☐ |
| Logging | Log persistence enabled | ☐ |
| Logging | Centralized log collection | ☐ |
| Updates | Automatic security updates | ☐ |
| Intrusion Detection | AIDE baseline established | ☐ |
| Intrusion Detection | rkhunter periodic scans | ☐ |
| SSL/TLS | Disable weak protocols | ☐ |
| SSL/TLS | HSTS enabled | ☐ |
FAQ
Q: Can't SSH login after hardening?
Make sure you've successfully deployed your public key and tested key-based login before disabling password authentication. Keep an active session open while testing new configurations in another terminal. If locked out, use your cloud provider's VNC console to log in and fix the issue.
Q: Connection fails after changing SSH port?
Check that the firewall allows the new port. Both UFW and iptables need synchronized rule updates. Also confirm SELinux/AppArmor allows the new port (on RHEL/CentOS: semanage port -a -t ssh_port_t -p tcp 2222).
Q: Can't modify files after chattr +i?
Use chattr -i to remove the immutable attribute, then re-apply with chattr +i after modification. Note: root cannot bypass immutable attributes — they must be removed first.
Q: Will automatic security updates cause service interruptions?
Security updates typically don't restart services — they only apply patches. However, kernel updates require a reboot to take effect. Configure Automatic-Reboot "false" and schedule reboots manually.
Q: How to test hardening measures without impacting production?
- Validate all configurations in a test environment first
- Use blue-green deployment or canary releases to apply gradually
- Maintain rollback plans (backup all configuration files)
- Harden in phases: SSH first → then firewall → then kernel parameters
Q: AIDE reports many changes — what to do?
Check if changes are from legitimate operations (package updates, config modifications). Update the AIDE database after legitimate changes. For unauthorized changes, initiate incident response immediately.
The hardening measures in this guide can be tailored to your specific business requirements. Refer to CIS Benchmarks and DISA STIG for more detailed compliance standards. Pair with ToolsKu's Hash Encryption Tool and SSH Key Generator for more efficient server security hardening.
Try these browser-local tools — no sign-up required →
#Linux#安全加固#服务器#运维#教程